Now both DNS servers are looking at the same upstream resolver, which hasn't changed. The path hasn't changed. Why is unbound's request resulting in a FormErr? And the correct IP address is listed right there in the same line.

Problem found - turns out that unbound is not requesting recursion when talking to the remote resolver, but it is using EDNS to allow for larger replies.

That should be okay, except the remote resolver was an older version of PowerDNS that was unhappy with this combination.

I proved it using dig from a client talking to the remote resolver directly: adding +recurse returned the bad "formerr" reply.
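The same kind of check can be scripted to cover every combination of the recursion-desired (RD) flag and EDNS in one pass. This is an added example, not part of the original post: it builds the four query variants by hand and reports the RCODE each one gets back. The server address and query name are supplied by the caller, and the RCODE table lists only the common values.

```python
import socket
import struct

# Common RCODE values only; anything else is reported as its number.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, rd, edns, qid=0x1234, bufsize=4096):
    """Build a DNS A query; rd sets the RD flag, edns appends an OPT record."""
    flags = 0x0100 if rd else 0x0000              # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    # OPT pseudo-RR (RFC 6891): root name, TYPE=41, CLASS=UDP size, TTL=0, RDLEN=0
    opt = (b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)) if edns else b""
    return header + question + opt

def rcode_of(response):
    """Return the RCODE name from the header of a DNS response."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    code = struct.unpack("!H", response[2:4])[0] & 0x000F
    return RCODES.get(code, str(code))

def probe(server, name, timeout=3.0):
    """Send all four RD/EDNS combinations to server; return {(rd, edns): rcode}."""
    results = {}
    for rd in (True, False):
        for edns in (True, False):
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(build_query(name, rd, edns), (server, 53))
                try:
                    results[(rd, edns)] = rcode_of(s.recv(4096))
                except socket.timeout:
                    results[(rd, edns)] = "TIMEOUT"
    return results

if __name__ == "__main__":
    import sys
    # Usage: script.py <resolver-ip> <name>   (both chosen by the operator)
    for (rd, edns), rc in probe(sys.argv[1], sys.argv[2]).items():
        print(f"RD={int(rd)} EDNS={int(edns)} -> {rc}")
```

A resolver that answers FORMERR for only one of the four rows is rejecting that specific flag combination rather than the query name or the network path.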

Turns out there's a project to upgrade the PowerDNS servers, to get things like SQL backend instead of text file support, so this is a work in progress. We'll have to stay with dnsmasq / forwarder until the infrastructure is ready.